[Samba] domain admins not being applied to windows box

Paul Gienger pgienger at ae-solutions.com
Tue Aug 3 12:36:58 GMT 2004


If you look at your group mapping list, you have duplicates for Domain 
Users and Domain Admins.  Delete these mappings with the net groupmap 
command (you may have to delete each twice) and then re-add them.  The 
SIDs should be the -5xx ones, not -1219 or -3005.

Conrad Wood wrote:

>Hi,
>
>I have recently upgraded from samba 2.2 to samba 3.0.
>I used to have "domain admin group = @winadmin" in my smb.conf,
>but I understand from the documentation that it is deprecated
>in favour of 
>"net groupmap set "Domain Admin" winadmin".
>
>I would expect unix users who are members of the
>unix group winadmin to become Domain Admins, then,
>but they don't ?.
>
>Do I understand this correctly that unix users
>that are a member of the unix group winadmin
>then will be "advertised" as being a member of
>the NT Group "Domain Admins" to windows machines?
>The windows box applies whatever permissions the
>"Domain Admins" have for this box, by default "Administrator"?
>
>My server is a debian gnu/linux box in a test environment.
>My windows machine(s) are run within vmware, windows XP and 2k.
>
>Details:
>
>************************* snip **************
>on the server the groupmapping is as follows:
>root at smoke:~# net groupmap list
>System Operators (S-1-5-32-549) -> -1
>Replicators (S-1-5-32-552) -> -1
>Guests (S-1-5-32-546) -> -1
>Domain Users (S-1-5-21-520677601-194623159-390525435-513) -> cnw
>Domain Admins (S-1-5-21-520677601-194623159-390525435-1219) -> winadmin
>Domain Users (S-1-5-21-520677601-194623159-390525435-3005) -> cnw
>Power Users (S-1-5-32-547) -> -1
>Print Operators (S-1-5-32-550) -> -1
>Administrators (S-1-5-32-544) -> winadmin
>Account Operators (S-1-5-32-548) -> -1
>Domain Guests (S-1-5-21-520677601-194623159-390525435-514) -> -1
>Domain Admins (S-1-5-21-520677601-194623159-390525435-512) -> winadmin
>Backup Operators (S-1-5-32-551) -> -1
>Users (S-1-5-32-545) -> winadmin
>****************************************************************
>
>On windows it seems to accept that ish:
>(intended to copy and paste from a msdos box but failed miserably
>so here's the written out extract ;) )
>c:\>net user cnw /DOMAIN
>.... blurb....
>Local Group Memberships   *dialout                 <- WTF???
>Global Group memberships   *Domain Users *Domain Admins
>The command completed sucessfully.
>c:\>
>
>*****************************************************************
>
>Doesn't above mean I should be administrator (when logged in
>as cnw)? (And before you ask, cnw *is* a member of winadmin ;) )
>However, if I try to open the TCP/IP properties windows tells me
>that I do not have access...
>
>I am new to samba 3.0 and so far only read the publicly available
>documentation, so I would like to double check whether I understand
>this correctly.
>
>Thank you,
>
>Conrad

-- 
Paul Gienger                     Office: 701-281-1884
Applied Engineering Inc.         
Information Systems Consultant   Fax:    701-281-1322
URL: www.ae-solutions.com        mailto: pgienger at ae-solutions.com



